How to Setup IKEv2 VPN using pfSense

Frank Ye
7 min read · Jul 23, 2020
White Switch Hub Turned on. By Pixabay. From pexels.com.

2022-01-27 Update: I just published another related blog post about enabling multi-factor authentication (MFA or 2FA) on pfSense IKEv2 VPN using Duo here.

Starting from March 2020 the city I live in entered into full COVID-19 lockdown. All businesses were closed and their employees were required to work remotely if possible. As the CTO of a small company I was tasked to upgrade the company’s existing VPN infrastructure to better support our now-fully-remote workforce.

The previous VPN setup was an IPsec/L2TP VPN in “mobile warrior” mode (meaning the VPN server at the office has a static IP but the clients connecting to it use dynamic IPs). It worked fine, with just one pitfall. Two of our employees are from the same household. As the IPsec/L2TP VPN uses the remote client’s public IP to identify the remote end, there can only be one VPN connection from that household. My colleague and her partner could only take turns accessing the company network from their desktop/laptop.

After some research I learned that a newer standard (IKEv2) uses an optional “remote client identifier” to identify the mobile warriors. This means my colleague and her partner can use different identifiers to connect to the VPN server even when they share the same public IP.

Honestly, setting up a new VPN infrastructure is not easy. There are too many moving parts that can go wrong. This article documents what I did to set up this new IKEv2 VPN on the company’s pfSense router/firewall, as well as how to set up client-side connections on Windows 10, MacOS and Ubuntu Linux. I hope this helps readers avoid all the problems I encountered and saves them hours of time.

Without further delay, let’s dive right into the technical part.

First comes an external link. Here is the official pfSense tutorial (the “original tutorial”) for setting up an IKEv2 VPN in mobile warrior mode. I assume you have already read it if you are interested in this topic. If you have not, please read it before continuing, as I will not be plagiarizing its contents.

“Then why are you repeating this topic here?”, you may ask.

I ran into issues setting up remote clients after following the original tutorial. After spending hours searching for answers and experimenting with solutions, I finally determined that several settings in the above tutorial need to be modified to make the remote clients work (especially Windows 10 clients). I wrote this article to show you these changes.

Changes Required on Server-End

The key to making Windows 10 clients work with this IKEv2 VPN is to include certain cryptographic algorithms that were not mentioned in the original tutorial. Windows 10’s built-in VPN client does not support the algorithms specified in the original tutorial (e.g. SHA256 and 2048-bit Diffie–Hellman) out of the box.

To make Windows 10 clients work, we need to add support for the following algorithms on the server end.

  • DH group 2 (1024-bit) for Phase 1
  • SHA1 for Phase 2

Figure 1. Selected Algorithms for Phase 1
Figure 2. Selected Algorithms for Phase 2

With these two slightly weaker algorithms added, the Windows 10 built-in VPN client will be able to connect to the pfSense IKEv2 VPN server.

There are other tutorials on how to force Windows 10 to use the default (and stronger) algorithms so that the changes I mentioned here are no longer needed. I won’t get into the details of that, as those are for truly advanced users. Plus, although 1024-bit DH and SHA1 are considered weaker algorithms by the security industry, they may be “good enough” if you are not protecting state secrets. That will be your judgment call.

Setup Windows 10 Client

With the changes to the server configuration completed, we can now connect using Windows 10’s built-in VPN client. It is worth mentioning that IKEv2 is a relatively new protocol and older Windows versions (such as Windows 7) do not support it.

There are two paths you could follow to reach the VPN setup page on Windows 10. Oddly enough, based on some sources online, the path you take will affect certain default settings. We will get into this in a later section when we talk about fixing the remote gateway settings.

The path I used is to open the Start menu and search for VPN Settings. Once you are there, click the Add a VPN Connection button and use the following configuration. (If you followed the original tutorial, these are the settings. If you made your own changes on the server end, I assume you know what to do here too.)

Figure 3. Windows 10 VPN client configurations

One issue I spent hours locating and fixing was a default misconfiguration of the remote gateway. Read on.

When you click the Save button to create the VPN connection, Windows automatically creates a virtual network interface for this VPN. You will find a Status button on the left side of the VPN Settings window. Click it and you will see Change Adapter Options.

Figure 4. Locate the Adapter Options

Once you are there, you will see the virtual network interface created by Windows. It has the same name as your VPN connection.

Right-click that virtual adapter and select Properties. You will find the Networking settings there. Follow through the screens shown below and you will eventually reach the Advanced TCP/IP Settings window. Make sure the “Use default gateway on remote network” option is selected; otherwise your computer will not send its traffic through the VPN.

Figure 5. Change Remote Gateway Settings

With the above steps your Windows 10 machine is ready to establish the IKEv2 VPN connection. Congratulations!
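For readers who would rather keep the server on the original tutorial’s stronger proposals than enable DH group 2 and SHA1 (the “other tutorials” route mentioned in the server-end section), here is an added example of my own, not from the article or from pfSense, that creates the Windows 10 connection from PowerShell, pins it to SHA256 and 2048-bit DH, and sets the remote-gateway option from Figure 5 in the same step. The connection name and server hostname are placeholders, and it assumes the pfSense server offers AES256 with those proposals and authenticates users with EAP (username/password).

```powershell
# Added example (not from the article): build the Windows 10 IKEv2 connection
# with the VpnClient cmdlets instead of the Settings UI, so the client proposes
# SHA256 / 2048-bit DH (DH group 14) and the server does not need to accept
# DH group 2 or SHA1. Run in an elevated PowerShell on the Windows 10 client.
# Assumptions: placeholder name and hostname below; the pfSense Phase 1/Phase 2
# proposals include AES256, SHA256 and DH group 14; EAP username/password auth.

$Name   = 'Office IKEv2'        # placeholder connection name
$Server = 'vpn.example.com'     # placeholder: the pfSense WAN hostname

# 1. Create the connection. -SplitTunneling $false is the cmdlet equivalent of
#    ticking "Use default gateway on remote network" in the adapter's Advanced
#    TCP/IP Settings, so all traffic goes through the tunnel (the Figure 5 fix).
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required `
    -RememberCredential -SplitTunneling $false -Force

# 2. Replace the built-in client's defaults (SHA1, DH group 2) with a custom
#    IPsec policy. Every value here must match a proposal the server offers,
#    otherwise IKE negotiation fails with a policy-match error.
$ipsec = @{
    ConnectionName                   = $Name
    EncryptionMethod                 = 'AES256'     # IKE (Phase 1) cipher
    IntegrityCheckMethod             = 'SHA256'     # IKE (Phase 1) integrity
    DHGroup                          = 'Group14'    # IKE DH group, 2048-bit
    CipherTransformConstants         = 'AES256'     # ESP (Phase 2) cipher
    AuthenticationTransformConstants = 'SHA256128'  # ESP (Phase 2) integrity
    PfsGroup                         = 'PFS2048'    # Phase 2 PFS, 2048-bit
    Force                            = $true
}
Set-VpnConnectionIPsecConfiguration @ipsec

# 3. Show what the client will actually propose before the first connect.
(Get-VpnConnection -Name $Name).IPsecCustomPolicy
```

After this, connect with the usual VPN UI (or `rasdial`); if the server’s proposals were left at the original tutorial’s values, DH group 2 and SHA1 can stay disabled on the pfSense side.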

Setup MacOS Client

The Mac client is the easiest to set up. It works out of the box with the default settings.

To set up the MacOS client, go to the Network section under System Preferences. Then click the “+” button to add a new network connection. Select IKEv2 as the VPN type.

Figure 6. Add New VPN in MacOS

Then, enter the VPN server’s address and its peer identifier. If you followed the original tutorial exactly, the server identifier is the same as the domain name. For the Local ID, use the username so that multiple users can connect to the VPN server from the same public IP.

Figure 7. VPN Settings for MacOS

Finally, click the Authentication Settings button and enter your credentials.

Figure 8. Entering VPN Credentials on MacOS

Now you can establish the IKEv2 VPN from your Mac. No extra configuration or tweaks required.

Setup Ubuntu Client

For this section I assume the readers are more or less tech savvy, so I will not go into details like step-by-step screenshots. Please feel free to leave a comment if you still have unanswered questions after reading this section.

The first step in setting up the VPN client on Ubuntu 18.04 LTS or 20.04 LTS is to install the required packages. Assuming you are using the default Ubuntu image (that is, the Unity desktop), you need to install the following.

sudo apt update
sudo apt install -y network-manager-strongswan libcharon-extra-plugins

This adds the IKEv2 option to the Add VPN window under Network Settings.

Choose IKEv2 as the VPN type, then enter the following configuration. Besides all the normal settings, make sure “Require an inner IP address” is checked. Without this option the Ubuntu client will not be able to talk to the VPN server.

Figure 9. Ubuntu VPN Settings

Click Apply and you are ready to connect to the IKEv2 VPN server.

Conclusion

I hope you found this article a good supplement to the original tutorial, and that it helped you solve your connectivity issues.

I like solving problems. Almost all my learning has come from solving problems, be they my own or someone else’s. Please feel free to reach out and leave me a comment if you have other questions.
